Message ID | 168262351129.2036355.1136491155595493268.stgit@firesoul (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | page_pool: new approach for leak detection and shutdown phase | expand |
Jesper Dangaard Brouer <brouer@redhat.com> writes: > This removes the workqueue scheme that periodically tests when > inflight reach zero such that page_pool memory can be freed. > > This change adds code to fast-path free checking for a shutdown flags > bit after returning PP pages. I think the general approach is workable, but spotted a few issues with the details, see below. > Performance is very important for PP, as the fast path is used for > XDP_DROP use-cases where NIC drivers recycle PP pages directly into PP > alloc cache. > > The goal were that this code change should have zero impact on this > fast-path. The slight code reorg of likely() are deliberate. Micro > benchmarking done via kernel module[1] on x86_64, shows this code > change only cost a single instruction extra (approx 0.3 nanosec on CPU > E5-1650 @3.60GHz). > > It is possible to make this code zero impact via static_key, but that > change is not considered worth the complexity. > > [1] https://github.com/netoptimizer/prototype-kernel/blob/master/kernel/lib/bench_page_pool_simple.c > > Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> > --- > include/net/page_pool.h | 9 ++-- > net/core/page_pool.c | 100 +++++++++++++++++++++++++++++------------------ > 2 files changed, 66 insertions(+), 43 deletions(-) > > diff --git a/include/net/page_pool.h b/include/net/page_pool.h > index c8ec2f34722b..a71c0f2695b0 100644 > --- a/include/net/page_pool.h > +++ b/include/net/page_pool.h > @@ -50,6 +50,9 @@ > PP_FLAG_DMA_SYNC_DEV |\ > PP_FLAG_PAGE_FRAG) > > +/* Internal flag: PP in shutdown phase, waiting for inflight pages */ > +#define PP_FLAG_SHUTDOWN BIT(8) > + > /* > * Fast allocation side cache array/stack > * > @@ -151,11 +154,6 @@ static inline u64 *page_pool_ethtool_stats_get(u64 *data, void *stats) > struct page_pool { > struct page_pool_params p; > > - struct delayed_work release_dw; > - void (*disconnect)(void *); > - unsigned long defer_start; > - unsigned long defer_warn; > - > u32 pages_state_hold_cnt; > unsigned int frag_offset; > struct page *frag_page; > @@ -165,6 +163,7 @@ struct page_pool { > /* these stats are incremented while in softirq context */ > struct page_pool_alloc_stats alloc_stats; > #endif > + void (*disconnect)(void *); > u32 xdp_mem_id; > > /* > diff --git a/net/core/page_pool.c b/net/core/page_pool.c > index e212e9d7edcb..b8359d84e30f 100644 > --- a/net/core/page_pool.c > +++ b/net/core/page_pool.c > @@ -23,9 +23,6 @@ > > #include <trace/events/page_pool.h> > > -#define DEFER_TIME (msecs_to_jiffies(1000)) > -#define DEFER_WARN_INTERVAL (60 * HZ) > - > #define BIAS_MAX LONG_MAX > > #ifdef CONFIG_PAGE_POOL_STATS > @@ -380,6 +377,10 @@ static struct page *__page_pool_alloc_pages_slow(struct page_pool *pool, > struct page *page; > int i, nr_pages; > > + /* API usage BUG: PP in shutdown phase, cannot alloc new pages */ > + if (WARN_ON(pool->p.flags & PP_FLAG_SHUTDOWN)) > + return NULL; > + > /* Don't support bulk alloc for high-order pages */ > if (unlikely(pp_order)) > return __page_pool_alloc_page_order(pool, gfp); > @@ -445,15 +446,20 @@ struct page *page_pool_alloc_pages(struct page_pool *pool, gfp_t gfp) > } > EXPORT_SYMBOL(page_pool_alloc_pages); > > +/* Avoid inlining code to avoid speculative fetching cacheline */ > +noinline u32 pp_read_hold_cnt(struct page_pool *pool) > +{ > + return READ_ONCE(pool->pages_state_hold_cnt); > +} > + > /* Calculate distance between two u32 values, valid if distance is below 2^(31) > * https://en.wikipedia.org/wiki/Serial_number_arithmetic#General_Solution > */ > #define _distance(a, b) (s32)((a) - (b)) > > -static s32 page_pool_inflight(struct page_pool *pool) > +static s32 __page_pool_inflight(struct page_pool *pool, > + u32 hold_cnt, u32 release_cnt) > { > - u32 release_cnt = atomic_read(&pool->pages_state_release_cnt); > - u32 hold_cnt = READ_ONCE(pool->pages_state_hold_cnt); > s32 inflight; > > inflight = _distance(hold_cnt, release_cnt); > @@ -464,6 +470,16 @@ static s32 page_pool_inflight(struct page_pool *pool) > return inflight; > } > > +static s32 page_pool_inflight(struct page_pool *pool) > +{ > + u32 hold_cnt = READ_ONCE(pool->pages_state_hold_cnt); > + u32 release_cnt = atomic_read(&pool->pages_state_release_cnt); > + return __page_pool_inflight(pool, hold_cnt, release_cnt); > +} > + > +static int page_pool_free_attempt(struct page_pool *pool, > + u32 hold_cnt, u32 release_cnt); > + > /* Disconnects a page (from a page_pool). API users can have a need > * to disconnect a page (from a page_pool), to allow it to be used as > * a regular page (that will eventually be returned to the normal > @@ -471,8 +487,10 @@ static s32 page_pool_inflight(struct page_pool *pool) > */ > void page_pool_release_page(struct page_pool *pool, struct page *page) > { > + unsigned int flags = READ_ONCE(pool->p.flags); > dma_addr_t dma; > - int count; > + u32 release_cnt; > + u32 hold_cnt; > > if (!(pool->p.flags & PP_FLAG_DMA_MAP)) > /* Always account for inflight pages, even if we didn't > @@ -490,11 +508,15 @@ void page_pool_release_page(struct page_pool *pool, struct page *page) > skip_dma_unmap: > page_pool_clear_pp_info(page); > > - /* This may be the last page returned, releasing the pool, so > - * it is not safe to reference pool afterwards. > - */ > - count = atomic_inc_return_relaxed(&pool->pages_state_release_cnt); > - trace_page_pool_state_release(pool, page, count); > + if (flags & PP_FLAG_SHUTDOWN) > + hold_cnt = pp_read_hold_cnt(pool); > + > + release_cnt = atomic_inc_return(&pool->pages_state_release_cnt); > + trace_page_pool_state_release(pool, page, release_cnt); > + > + /* In shutdown phase, last page will free pool instance */ > + if (flags & PP_FLAG_SHUTDOWN) > + page_pool_free_attempt(pool, hold_cnt, release_cnt); Since the assumption is that no new pages will be allocated once the PP_FLAG_SHUTDOWN is set (i.e., hold_count can not increase in the case), I don't think it matters what order you read the hold and release counts in? So you could simplify the above to just: > + if (flags & PP_FLAG_SHUTDOWN) > + page_pool_free_attempt(pool, pp_read_hold_cnt(pool), release_cnt); and drop the second check of the flag further up? You could probably even lose the hold_cnt argument entirely from page_pool_free_attempt() and just have it call pp_read_hold_cnt() directly? > } > EXPORT_SYMBOL(page_pool_release_page); > > @@ -535,7 +557,7 @@ static bool page_pool_recycle_in_ring(struct page_pool *pool, struct page *page) > static bool page_pool_recycle_in_cache(struct page *page, > struct page_pool *pool) > { > - if (unlikely(pool->alloc.count == PP_ALLOC_CACHE_SIZE)) { > + if (pool->alloc.count == PP_ALLOC_CACHE_SIZE) { > recycle_stat_inc(pool, cache_full); > return false; > } > @@ -546,6 +568,8 @@ static bool page_pool_recycle_in_cache(struct page *page, > return true; > } > > +static void page_pool_empty_ring(struct page_pool *pool); > + > /* If the page refcnt == 1, this will try to recycle the page. > * if PP_FLAG_DMA_SYNC_DEV is set, we'll try to sync the DMA area for > * the configured size min(dma_sync_size, pool->max_len). > @@ -572,7 +596,8 @@ __page_pool_put_page(struct page_pool *pool, struct page *page, > page_pool_dma_sync_for_device(pool, page, > dma_sync_size); > > - if (allow_direct && in_softirq() && > + /* During PP shutdown, no direct recycle must occur */ > + if (likely(allow_direct && in_softirq()) && > page_pool_recycle_in_cache(page, pool)) > return NULL; > > @@ -609,6 +634,8 @@ void page_pool_put_defragged_page(struct page_pool *pool, struct page *page, > recycle_stat_inc(pool, ring_full); > page_pool_return_page(pool, page); > } > + if (pool->p.flags & PP_FLAG_SHUTDOWN) > + page_pool_empty_ring(pool); > } > EXPORT_SYMBOL(page_pool_put_defragged_page); > > @@ -648,13 +675,17 @@ void page_pool_put_page_bulk(struct page_pool *pool, void **data, > > /* Hopefully all pages was return into ptr_ring */ > if (likely(i == bulk_len)) > - return; > + goto out; > > /* ptr_ring cache full, free remaining pages outside producer lock > * since put_page() with refcnt == 1 can be an expensive operation > */ > for (; i < bulk_len; i++) > page_pool_return_page(pool, data[i]); > + > +out: > + if (pool->p.flags & PP_FLAG_SHUTDOWN) > + page_pool_empty_ring(pool); > } > EXPORT_SYMBOL(page_pool_put_page_bulk); > > @@ -737,6 +768,7 @@ struct page *page_pool_alloc_frag(struct page_pool *pool, > } > EXPORT_SYMBOL(page_pool_alloc_frag); > > +noinline > static void page_pool_empty_ring(struct page_pool *pool) > { > struct page *page; > @@ -796,39 +828,29 @@ static void page_pool_scrub(struct page_pool *pool) > page_pool_empty_ring(pool); > } So this is not in the diff context, but page_pool_empty_ring() does this: static void page_pool_empty_ring(struct page_pool *pool) { struct page *page; /* Empty recycle ring */ while ((page = ptr_ring_consume_bh(&pool->ring))) { /* Verify the refcnt invariant of cached pages */ if (!(page_ref_count(page) == 1)) pr_crit("%s() page_pool refcnt %d violation\n", __func__, page_ref_count(page)); page_pool_return_page(pool, page); } } ...and with this patch, that page_pool_return_page() call will now free the pool memory entirely when the last page is returned. When it does this, the condition in the while loop will still execute afterwards; it would return false, but if the pool was freed, it's now referencing freed memory when trying to read from pool->ring. So I think page_pool_empty_ring needs to either pull out all the pages in the ring to an on-stack buffer before calling page_pool_return_page() on them, or there needs to be some other way to break the loop early. There are a couple of other places where page_pool_return_page() is called in a loop where the loop variable lives inside struct page_pool, so we need to be absolutely sure they will never be called in the shutdown stage, or they'll have to be fixed as well. > > -static int page_pool_release(struct page_pool *pool) > +noinline > +static int page_pool_free_attempt(struct page_pool *pool, > + u32 hold_cnt, u32 release_cnt) > { > int inflight; > > - page_pool_scrub(pool); > - inflight = page_pool_inflight(pool); > + inflight = __page_pool_inflight(pool, hold_cnt, release_cnt); > if (!inflight) > page_pool_free(pool); > > return inflight; > } > > -static void page_pool_release_retry(struct work_struct *wq) > +static int page_pool_release(struct page_pool *pool) > { > - struct delayed_work *dwq = to_delayed_work(wq); > - struct page_pool *pool = container_of(dwq, typeof(*pool), release_dw); > int inflight; > > - inflight = page_pool_release(pool); > + page_pool_scrub(pool); > + inflight = page_pool_inflight(pool); > if (!inflight) > - return; > - > - /* Periodic warning */ > - if (time_after_eq(jiffies, pool->defer_warn)) { > - int sec = (s32)((u32)jiffies - (u32)pool->defer_start) / HZ; > - > - pr_warn("%s() stalled pool shutdown %d inflight %d sec\n", > - __func__, inflight, sec); > - pool->defer_warn = jiffies + DEFER_WARN_INTERVAL; > - } > + page_pool_free(pool); > > - /* Still not ready to be disconnected, retry later */ > - schedule_delayed_work(&pool->release_dw, DEFER_TIME); > + return inflight; > } > > void page_pool_use_xdp_mem(struct page_pool *pool, void (*disconnect)(void *), > @@ -868,11 +890,13 @@ void page_pool_destroy(struct page_pool *pool) > if (!page_pool_release(pool)) > return; > > - pool->defer_start = jiffies; > - pool->defer_warn = jiffies + DEFER_WARN_INTERVAL; > + /* PP have pages inflight, thus cannot immediately release memory. > + * Enter into shutdown phase. > + */ > + pool->p.flags |= PP_FLAG_SHUTDOWN; I think there's another race here: once the flag is set in this line (does this need a memory barrier, BTW?), another CPU can return the last outstanding page, read the flag and call page_pool_empty_ring(). If this happens before the call to page_pool_empty_ring() below, you'll get a use-after-free. To avoid this, we could artificially bump the pool->hold_cnt *before* setting the flag above; that way we know that the page_pool_empty_ring() won't trigger a release, because inflight pages will never go below 1. And then, below the page_pool_empty_ring() call below, we can add an artificial bump of the release_cnt as well, which means we'll get proper atomic semantics on the counters and only ever release once. I.e.,: > - INIT_DELAYED_WORK(&pool->release_dw, page_pool_release_retry); > - schedule_delayed_work(&pool->release_dw, DEFER_TIME); > + /* Concurrent CPUs could have returned last pages into ptr_ring */ > + page_pool_empty_ring(pool); release_cnt = atomic_inc_return(&pool->pages_state_release_cnt); page_pool_free_attempt(pool, release_cnt); -Toke
On 27/04/2023 22.53, Toke Høiland-Jørgensen wrote: >> +noinline >> static void page_pool_empty_ring(struct page_pool *pool) >> { >> struct page *page; >> @@ -796,39 +828,29 @@ static void page_pool_scrub(struct page_pool *pool) >> page_pool_empty_ring(pool); >> } > So this is not in the diff context, but page_pool_empty_ring() does > this: > > static void page_pool_empty_ring(struct page_pool *pool) > { > struct page *page; > > /* Empty recycle ring */ > while ((page = ptr_ring_consume_bh(&pool->ring))) { > /* Verify the refcnt invariant of cached pages */ > if (!(page_ref_count(page) == 1)) > pr_crit("%s() page_pool refcnt %d violation\n", > __func__, page_ref_count(page)); > > page_pool_return_page(pool, page); > } > } > > ...and with this patch, that page_pool_return_page() call will now free > the pool memory entirely when the last page is returned. When it does > this, the condition in the while loop will still execute afterwards; it > would return false, but if the pool was freed, it's now referencing > freed memory when trying to read from pool->ring. Yes, that sounds like a problem. > So I think page_pool_empty_ring needs to either pull out all the pages > in the ring to an on-stack buffer before calling page_pool_return_page() > on them, or there needs to be some other way to break the loop early. Let me address this one first, I'll get back to the other in another reply. The usual/idiom way of doing this is to have a next pointer that is populated inside the loop before freeing the object. It should look like this (only compile tested): static void page_pool_empty_ring(struct page_pool *pool) { struct page *page, *next; next = ptr_ring_consume_bh(&pool->ring); /* Empty recycle ring */ while (next) { page = next; next = ptr_ring_consume_bh(&pool->ring); /* Verify the refcnt invariant of cached pages */ if (!(page_ref_count(page) == 1)) pr_crit("%s() page_pool refcnt %d violation\n", __func__, page_ref_count(page)); page_pool_return_page(pool, page); } } > There are a couple of other places where page_pool_return_page() is > called in a loop where the loop variable lives inside struct page_pool, > so we need to be absolutely sure they will never be called in the > shutdown stage, or they'll have to be fixed as well. The other loops are okay, but I spotted another problem in __page_pool_put_page() in "Fallback/non-XDP mode", but that is fixable. --Jesper
Jesper Dangaard Brouer <jbrouer@redhat.com> writes: > On 27/04/2023 22.53, Toke Høiland-Jørgensen wrote: >>> +noinline >>> static void page_pool_empty_ring(struct page_pool *pool) >>> { >>> struct page *page; >>> @@ -796,39 +828,29 @@ static void page_pool_scrub(struct page_pool *pool) >>> page_pool_empty_ring(pool); >>> } >> So this is not in the diff context, but page_pool_empty_ring() does >> this: >> >> static void page_pool_empty_ring(struct page_pool *pool) >> { >> struct page *page; >> >> /* Empty recycle ring */ >> while ((page = ptr_ring_consume_bh(&pool->ring))) { >> /* Verify the refcnt invariant of cached pages */ >> if (!(page_ref_count(page) == 1)) >> pr_crit("%s() page_pool refcnt %d violation\n", >> __func__, page_ref_count(page)); >> >> page_pool_return_page(pool, page); >> } >> } >> >> ...and with this patch, that page_pool_return_page() call will now free >> the pool memory entirely when the last page is returned. When it does >> this, the condition in the while loop will still execute afterwards; it >> would return false, but if the pool was freed, it's now referencing >> freed memory when trying to read from pool->ring. > > Yes, that sounds like a problem. > >> So I think page_pool_empty_ring needs to either pull out all the pages >> in the ring to an on-stack buffer before calling page_pool_return_page() >> on them, or there needs to be some other way to break the loop early. > > Let me address this one first, I'll get back to the other in another > reply. The usual/idiom way of doing this is to have a next pointer that > is populated inside the loop before freeing the object. > It should look like this (only compile tested): > > static void page_pool_empty_ring(struct page_pool *pool) > { > struct page *page, *next; > > next = ptr_ring_consume_bh(&pool->ring); > > /* Empty recycle ring */ > while (next) { > page = next; > next = ptr_ring_consume_bh(&pool->ring); > > /* Verify the refcnt invariant of cached pages */ > if (!(page_ref_count(page) == 1)) > pr_crit("%s() page_pool refcnt %d violation\n", > __func__, page_ref_count(page)); > > page_pool_return_page(pool, page); > } > } Yup, that works! >> There are a couple of other places where page_pool_return_page() is >> called in a loop where the loop variable lives inside struct page_pool, >> so we need to be absolutely sure they will never be called in the >> shutdown stage, or they'll have to be fixed as well. > > The other loops are okay, but I spotted another problem in > __page_pool_put_page() in "Fallback/non-XDP mode", but that is fixable. Alright, great! -Toke
On 27/04/2023 22.53, Toke Høiland-Jørgensen wrote: >> @@ -490,11 +508,15 @@ void page_pool_release_page(struct page_pool *pool, struct page *page) >> skip_dma_unmap: >> page_pool_clear_pp_info(page); >> >> - /* This may be the last page returned, releasing the pool, so >> - * it is not safe to reference pool afterwards. >> - */ >> - count = atomic_inc_return_relaxed(&pool->pages_state_release_cnt); >> - trace_page_pool_state_release(pool, page, count); >> + if (flags & PP_FLAG_SHUTDOWN) >> + hold_cnt = pp_read_hold_cnt(pool); >> + >> + release_cnt = atomic_inc_return(&pool->pages_state_release_cnt); >> + trace_page_pool_state_release(pool, page, release_cnt); >> + >> + /* In shutdown phase, last page will free pool instance */ >> + if (flags & PP_FLAG_SHUTDOWN) >> + page_pool_free_attempt(pool, hold_cnt, release_cnt); > > Since the assumption is that no new pages will be allocated once the > PP_FLAG_SHUTDOWN is set (i.e., hold_count can not increase in the case), > I don't think it matters what order you read the hold and release counts > in? So you could simplify the above to just: > >> + if (flags & PP_FLAG_SHUTDOWN) >> + page_pool_free_attempt(pool, pp_read_hold_cnt(pool), release_cnt); > and drop the second check of the flag further up? > > You could probably even lose the hold_cnt argument entirely from > page_pool_free_attempt() and just have it call pp_read_hold_cnt() directly? > I unfortunately think we have to keep this approach. The purpose is to read out data from *pool, such that it is safe to call page_pool_free_attempt() even when *pool memory have been freed. I believe there is a race window between atomic_inc_return() and freeing in page_pool_free_attempt(). (As we have tracepoints in this critical section we might even be able to increase the chance of the race) Imagine two CPUs freeing the last two PP pages. Hold=2 which means when release_cnt reach 2 inflight is zero. CPU-1 : release_cnt 1 = atomic_inc_return(); CPU-1 : gets preempted (or runs slow bpf-prog in tracepoint) CPU-2 : release_cnt 2 = atomic_inc_return(); CPU-2 : page_pool_free_attempt(pool, 2, release_cnt=2); CPU-2 : find no-inflight -> calls page_pool_free(pool) CPU-1 : page_pool_free_attempt(pool, 2, release_cnt=1); CPU-1 : *use-after-free* deref pool->pages_state_hold_cnt >> } >> EXPORT_SYMBOL(page_pool_release_page);
On 27/04/2023 22.53, Toke Høiland-Jørgensen wrote: >> @@ -868,11 +890,13 @@ void page_pool_destroy(struct page_pool *pool) >> if (!page_pool_release(pool)) >> return; >> >> - pool->defer_start = jiffies; >> - pool->defer_warn = jiffies + DEFER_WARN_INTERVAL; >> + /* PP have pages inflight, thus cannot immediately release memory. >> + * Enter into shutdown phase. >> + */ >> + pool->p.flags |= PP_FLAG_SHUTDOWN; > > I think there's another race here: once the flag is set in this line > (does this need a memory barrier, BTW?), another CPU can return the last > outstanding page, read the flag and call page_pool_empty_ring(). If this > happens before the call to page_pool_empty_ring() below, you'll get a > use-after-free. > > To avoid this, we could artificially bump the pool->hold_cnt *before* > setting the flag above; that way we know that the page_pool_empty_ring() > won't trigger a release, because inflight pages will never go below 1. > And then, below the page_pool_empty_ring() call below, we can add an > artificial bump of the release_cnt as well, which means we'll get proper > atomic semantics on the counters and only ever release once. I.e.,: > >> - INIT_DELAYED_WORK(&pool->release_dw, page_pool_release_retry); >> - schedule_delayed_work(&pool->release_dw, DEFER_TIME); >> + /* Concurrent CPUs could have returned last pages into ptr_ring */ >> + page_pool_empty_ring(pool); > release_cnt = atomic_inc_return(&pool->pages_state_release_cnt); > page_pool_free_attempt(pool, release_cnt); > I agree and I've implemented this solution (see V3 soon). I've used smp_store_release() instead of WRITE_ONCE(), because AFAIK smp_store_release() adds the memory barriers. --Jesper
diff --git a/include/net/page_pool.h b/include/net/page_pool.h index c8ec2f34722b..a71c0f2695b0 100644 --- a/include/net/page_pool.h +++ b/include/net/page_pool.h @@ -50,6 +50,9 @@ PP_FLAG_DMA_SYNC_DEV |\ PP_FLAG_PAGE_FRAG) +/* Internal flag: PP in shutdown phase, waiting for inflight pages */ +#define PP_FLAG_SHUTDOWN BIT(8) + /* * Fast allocation side cache array/stack * @@ -151,11 +154,6 @@ static inline u64 *page_pool_ethtool_stats_get(u64 *data, void *stats) struct page_pool { struct page_pool_params p; - struct delayed_work release_dw; - void (*disconnect)(void *); - unsigned long defer_start; - unsigned long defer_warn; - u32 pages_state_hold_cnt; unsigned int frag_offset; struct page *frag_page; @@ -165,6 +163,7 @@ struct page_pool { /* these stats are incremented while in softirq context */ struct page_pool_alloc_stats alloc_stats; #endif + void (*disconnect)(void *); u32 xdp_mem_id; /* diff --git a/net/core/page_pool.c b/net/core/page_pool.c index e212e9d7edcb..b8359d84e30f 100644 --- a/net/core/page_pool.c +++ b/net/core/page_pool.c @@ -23,9 +23,6 @@ #include <trace/events/page_pool.h> -#define DEFER_TIME (msecs_to_jiffies(1000)) -#define DEFER_WARN_INTERVAL (60 * HZ) - #define BIAS_MAX LONG_MAX #ifdef CONFIG_PAGE_POOL_STATS @@ -380,6 +377,10 @@ static struct page *__page_pool_alloc_pages_slow(struct page_pool *pool, struct page *page; int i, nr_pages; + /* API usage BUG: PP in shutdown phase, cannot alloc new pages */ + if (WARN_ON(pool->p.flags & PP_FLAG_SHUTDOWN)) + return NULL; + /* Don't support bulk alloc for high-order pages */ if (unlikely(pp_order)) return __page_pool_alloc_page_order(pool, gfp); @@ -445,15 +446,20 @@ struct page *page_pool_alloc_pages(struct page_pool *pool, gfp_t gfp) } EXPORT_SYMBOL(page_pool_alloc_pages); +/* Avoid inlining code to avoid speculative fetching cacheline */ +noinline u32 pp_read_hold_cnt(struct page_pool *pool) +{ + return READ_ONCE(pool->pages_state_hold_cnt); +} + /* Calculate distance between two u32 values, valid if distance is below 2^(31) * https://en.wikipedia.org/wiki/Serial_number_arithmetic#General_Solution */ #define _distance(a, b) (s32)((a) - (b)) -static s32 page_pool_inflight(struct page_pool *pool) +static s32 __page_pool_inflight(struct page_pool *pool, + u32 hold_cnt, u32 release_cnt) { - u32 release_cnt = atomic_read(&pool->pages_state_release_cnt); - u32 hold_cnt = READ_ONCE(pool->pages_state_hold_cnt); s32 inflight; inflight = _distance(hold_cnt, release_cnt); @@ -464,6 +470,16 @@ static s32 page_pool_inflight(struct page_pool *pool) return inflight; } +static s32 page_pool_inflight(struct page_pool *pool) +{ + u32 hold_cnt = READ_ONCE(pool->pages_state_hold_cnt); + u32 release_cnt = atomic_read(&pool->pages_state_release_cnt); + return __page_pool_inflight(pool, hold_cnt, release_cnt); +} + +static int page_pool_free_attempt(struct page_pool *pool, + u32 hold_cnt, u32 release_cnt); + /* Disconnects a page (from a page_pool). API users can have a need * to disconnect a page (from a page_pool), to allow it to be used as * a regular page (that will eventually be returned to the normal @@ -471,8 +487,10 @@ static s32 page_pool_inflight(struct page_pool *pool) */ void page_pool_release_page(struct page_pool *pool, struct page *page) { + unsigned int flags = READ_ONCE(pool->p.flags); dma_addr_t dma; - int count; + u32 release_cnt; + u32 hold_cnt; if (!(pool->p.flags & PP_FLAG_DMA_MAP)) /* Always account for inflight pages, even if we didn't @@ -490,11 +508,15 @@ void page_pool_release_page(struct page_pool *pool, struct page *page) skip_dma_unmap: page_pool_clear_pp_info(page); - /* This may be the last page returned, releasing the pool, so - * it is not safe to reference pool afterwards. - */ - count = atomic_inc_return_relaxed(&pool->pages_state_release_cnt); - trace_page_pool_state_release(pool, page, count); + if (flags & PP_FLAG_SHUTDOWN) + hold_cnt = pp_read_hold_cnt(pool); + + release_cnt = atomic_inc_return(&pool->pages_state_release_cnt); + trace_page_pool_state_release(pool, page, release_cnt); + + /* In shutdown phase, last page will free pool instance */ + if (flags & PP_FLAG_SHUTDOWN) + page_pool_free_attempt(pool, hold_cnt, release_cnt); } EXPORT_SYMBOL(page_pool_release_page); @@ -535,7 +557,7 @@ static bool page_pool_recycle_in_ring(struct page_pool *pool, struct page *page) static bool page_pool_recycle_in_cache(struct page *page, struct page_pool *pool) { - if (unlikely(pool->alloc.count == PP_ALLOC_CACHE_SIZE)) { + if (pool->alloc.count == PP_ALLOC_CACHE_SIZE) { recycle_stat_inc(pool, cache_full); return false; } @@ -546,6 +568,8 @@ static bool page_pool_recycle_in_cache(struct page *page, return true; } +static void page_pool_empty_ring(struct page_pool *pool); + /* If the page refcnt == 1, this will try to recycle the page. * if PP_FLAG_DMA_SYNC_DEV is set, we'll try to sync the DMA area for * the configured size min(dma_sync_size, pool->max_len). @@ -572,7 +596,8 @@ __page_pool_put_page(struct page_pool *pool, struct page *page, page_pool_dma_sync_for_device(pool, page, dma_sync_size); - if (allow_direct && in_softirq() && + /* During PP shutdown, no direct recycle must occur */ + if (likely(allow_direct && in_softirq()) && page_pool_recycle_in_cache(page, pool)) return NULL; @@ -609,6 +634,8 @@ void page_pool_put_defragged_page(struct page_pool *pool, struct page *page, recycle_stat_inc(pool, ring_full); page_pool_return_page(pool, page); } + if (pool->p.flags & PP_FLAG_SHUTDOWN) + page_pool_empty_ring(pool); } EXPORT_SYMBOL(page_pool_put_defragged_page); @@ -648,13 +675,17 @@ void page_pool_put_page_bulk(struct page_pool *pool, void **data, /* Hopefully all pages was return into ptr_ring */ if (likely(i == bulk_len)) - return; + goto out; /* ptr_ring cache full, free remaining pages outside producer lock * since put_page() with refcnt == 1 can be an expensive operation */ for (; i < bulk_len; i++) page_pool_return_page(pool, data[i]); + +out: + if (pool->p.flags & PP_FLAG_SHUTDOWN) + page_pool_empty_ring(pool); } EXPORT_SYMBOL(page_pool_put_page_bulk); @@ -737,6 +768,7 @@ struct page *page_pool_alloc_frag(struct page_pool *pool, } EXPORT_SYMBOL(page_pool_alloc_frag); +noinline static void page_pool_empty_ring(struct page_pool *pool) { struct page *page; @@ -796,39 +828,29 @@ static void page_pool_scrub(struct page_pool *pool) page_pool_empty_ring(pool); } -static int page_pool_release(struct page_pool *pool) +noinline +static int page_pool_free_attempt(struct page_pool *pool, + u32 hold_cnt, u32 release_cnt) { int inflight; - page_pool_scrub(pool); - inflight = page_pool_inflight(pool); + inflight = __page_pool_inflight(pool, hold_cnt, release_cnt); if (!inflight) page_pool_free(pool); return inflight; } -static void page_pool_release_retry(struct work_struct *wq) +static int page_pool_release(struct page_pool *pool) { - struct delayed_work *dwq = to_delayed_work(wq); - struct page_pool *pool = container_of(dwq, typeof(*pool), release_dw); int inflight; - inflight = page_pool_release(pool); + page_pool_scrub(pool); + inflight = page_pool_inflight(pool); if (!inflight) - return; - - /* Periodic warning */ - if (time_after_eq(jiffies, pool->defer_warn)) { - int sec = (s32)((u32)jiffies - (u32)pool->defer_start) / HZ; - - pr_warn("%s() stalled pool shutdown %d inflight %d sec\n", - __func__, inflight, sec); - pool->defer_warn = jiffies + DEFER_WARN_INTERVAL; - } + page_pool_free(pool); - /* Still not ready to be disconnected, retry later */ - schedule_delayed_work(&pool->release_dw, DEFER_TIME); + return inflight; } void page_pool_use_xdp_mem(struct page_pool *pool, void (*disconnect)(void *), @@ -868,11 +890,13 @@ void page_pool_destroy(struct page_pool *pool) if (!page_pool_release(pool)) return; - pool->defer_start = jiffies; - pool->defer_warn = jiffies + DEFER_WARN_INTERVAL; + /* PP have pages inflight, thus cannot immediately release memory. + * Enter into shutdown phase. + */ + pool->p.flags |= PP_FLAG_SHUTDOWN; - INIT_DELAYED_WORK(&pool->release_dw, page_pool_release_retry); - schedule_delayed_work(&pool->release_dw, DEFER_TIME); + /* Concurrent CPUs could have returned last pages into ptr_ring */ + page_pool_empty_ring(pool); } EXPORT_SYMBOL(page_pool_destroy);
This removes the workqueue scheme that periodically tests when inflight reach zero such that page_pool memory can be freed. This change adds code to fast-path free checking for a shutdown flags bit after returning PP pages. Performance is very important for PP, as the fast path is used for XDP_DROP use-cases where NIC drivers recycle PP pages directly into PP alloc cache. The goal were that this code change should have zero impact on this fast-path. The slight code reorg of likely() are deliberate. Micro benchmarking done via kernel module[1] on x86_64, shows this code change only cost a single instruction extra (approx 0.3 nanosec on CPU E5-1650 @3.60GHz). It is possible to make this code zero impact via static_key, but that change is not considered worth the complexity. [1] https://github.com/netoptimizer/prototype-kernel/blob/master/kernel/lib/bench_page_pool_simple.c Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> --- include/net/page_pool.h | 9 ++-- net/core/page_pool.c | 100 +++++++++++++++++++++++++++++------------------ 2 files changed, 66 insertions(+), 43 deletions(-)